Threat Intel Update
Credential theft remains a key objective for cyber threat actors, who use a variety of tactics—such as deploying information-stealing malware, operating botnets, and creating phishing pages—to capture this critical data. Cybercriminals continually build new infrastructure and launch campaigns to obtain these valuable credentials.
This week, however, brought positive news for the cybersecurity community: an international law enforcement operation successfully disrupted the infrastructure supporting the RedLine and META information stealers. While cybercriminals will likely adapt, this disruption is expected to slow down their efforts. This action also highlights the collaborative efforts among governments to counter cyber threats globally.
Cybersecurity News
- Black Basta Ransomware Actors Utilizing Microsoft Teams Chat To Target Victims – Victims are inundated with a high volume of spam emails and are then added to Microsoft Teams chats with an unknown external user posing as a Help Desk account. They are then instructed to download a remote monitoring and management tool, such as QuickAssist or AnyDesk, to allow access to their system. Victims are also asked to scan a QR code that links to a domain impersonating their brand, though the exact purpose of the QR code remains unclear. Reliaquest
- Chinese Cyber Threat Actors Utilize Network of Compromised Devices to Steal Credentials – The activity is carried out using a botnet identified as CovertNetwork-1658, which consists of SOHO routers and VPN appliances. The botnet exploits security vulnerabilities to gain access to compromised devices. Microsoft estimates that, on average, 8,000 devices are affected by CovertNetwork-1658. The credentials harvested from these devices have been used by a group known as Storm-0940, which has targeted organizations in the U.S. and Europe, including law firms, government agencies, and non-governmental organizations. Microsoft
- Developer of RedLine Infostealer Indicted by U.S. Government – Maxim Rudometov, a Russian national, was indicted for his involvement as a developer and manager of the infrastructure supporting the RedLine infostealer. As part of a coordinated law enforcement operation between U.S. and European agencies, the infrastructure for both RedLine and the META infostealer was disrupted. The operation led to the seizure of Telegram accounts, servers, and domains used to support these malicious campaigns. U.S. Attorney’s Office, Western District of Texas
- SYS01stealer Malware Delivered Via Compromised Facebook Accounts – The malware is designed to steal user credentials, cookies, and information related to Facebook business accounts and ad data. Compromised Facebook accounts are used to create malicious ads that help further spread the SYS01stealer. These ads promote various technology and entertainment services, primarily targeting middle-aged men. Additionally, SYS01stealer has been distributed through ads on YouTube and LinkedIn. The Hacker News
- 2,000 Fake Webpages Created for Phishing Using Xiū gǒu Kit – Since September 2024, a phishing kit has been used to target victims in the U.S., U.K., and Australia, with impacted sectors including financial services, technology, and government. Built using Golang and Vue.js, the phishing kit is capable of exfiltrating data to Telegram. Victims receive RCS messages containing a shortened link that directs them to a malicious domain when clicked. The Hacker News